MEMO TO PHARMA: Don’t Get Complacent (DSCSA Deadlines Loom)

According to the World Health Organization ("WHO"), from 1 percent to 10 percent of drugs sold around the world today are counterfeits, and about 50 percent of medicines purchased over the Internet from illegal sites that conceal their physical address have been found to be counterfeit.

Counterfeiting once was seen largely as a problem in developing nations and one that primarily involved so-called lifestyle drugs such as Viagra vs. lifesaving remedies. But WHO data show that 200,000 people a year die due to ineffective, fake and substandard malaria drugs alone (including an estimated 100,000 children in Africa); cancer and heart medications are among the most bootlegged.

Between 2008 and 2012, a string of high-profile counterfeit cases in the United States involving insulin, the cancer drug Avastin and the attention deficit hyperactivity disorder drug Adderall, among others, drew attention to the dangers of fake prescription drugs. The U.S. regulatory response to this growing problem was the 2013 Drug Supply Chain Security Act ("DSCSA"), a law designed to create a uniform, standardized system of serialized drug product information that would allow for the near-instantaneous tracking of certain products through every layer and hairpin turn of the pharmaceutical supply chain.

The DSCSA transforms the way prescription drugs are pedigreed as they pass through the many layers of the U.S. healthcare system. Regulators, manufacturers, repackagers, wholesale distributors and dispensers have taken the first steps on this mandated 10-year journey toward a "national traceability solution" intended to prevent counterfeit and adulterated drugs from entering our nation’s bloodstream and the pharmaceutical supply chain.

However, complex serialization milestones loom, the next one being November 2017. And by 2023, the DSCSA mandates item-level (not lot-level) traceability that will allow regulators and supply chain partners to track all prescription drugs indirectly back to the initial manufacturer or repackager.

Based on an easy round one and a seemingly languid 10-year implementation timeline, companies may be lulled into thinking there’s plenty of time to prepare for rounds two and three of the DSCSA. That would be a big mistake because the data processing tasks that lie ahead are unprecedented in size and scope.

And when it comes to compliance, there’s no margin for error.

Start Scrambling Now

Phase I of the DSCSA required stakeholders to 1) implement lot-level traceability (including sharing of transaction information, transaction history and transaction statement — also known as the 3Ts); 2) deal only with authorized trading partners; and 3) set up a response mechanism for notification of an illegitimate or suspect product. Manufacturers, repackagers and wholesalers finished Phase I in May 2015, while dispensers (retail and hospital pharmacies) have until March of 2016. (The U.S. Food and Drug Administration ("FDA") slipped both deadlines via an enforcement grace period from the DSCSA’s original 2015 deadlines of January and July after a request from industry.)

By many accounts, Phase I implementation was a non-event. The main new task for most stakeholders was to register on the FDA’s portal, as basic (often paper-based) lot-level tracing mechanisms already were in place at many firms. Now companies are turning their attention to Phase II: full electronic drug serialization. The DSCSA requires that by November 2017, manufacturers will have to mark packages with a National Drug Code (a unique three-segment product identifier), serial number, lot number and expiration date. Serialization deadlines for repackagers, wholesalers, and dispensers follow in 2018, 2019 and 2020.

The implementation of DSCSA serialization will pack a financial punch. Pharmaceutical Commerce magazine estimates product serialization will cost from $150,000 to $300,000 per packaging line (there are tens of thousands of packaging lines around the world, though many already are serialized). Similarly, information technology ("IT") software/services firm Accellos reports that manufacturers and other supply chain participants will pay from $30 million to $40 million to implement the IT systems necessary to electronically store and transmit serial codes and transaction histories as mandated by the 2017-2020 DSCSA implementation milestones.

It’s hard to overestimate the magnitude of the systems re-engineering (and subsequent tweaking) that will be necessary for all links in the U.S. drug supply chain to come into compliance with the DSCSA. Although 2017 is still two years away, the time to start scrambling is now.

Companies can mitigate risk by following these three steps:

Mind your 3Ts and SOPs

Pressure test your systems

Seize opportunities where others see burdens

Mind your 3Ts and SOPs

Building or refining existing systems to produce lot-level product tracing data and transaction reporting (aka the 3Ts) was just a baby step on the road to serialized, item-level traceability. Although paper reporting on transactions is allowed until 2017, forward-looking companies will go beyond the near-term requirements and develop interoperable electronic reporting systems well in advance of the deadline. That will leave time to work out the inevitable kinks.

As a rule, DSCSA milestones should not just be met but need to be exceeded in order to streamline the implementation process. At the same time, companies will have to write (and rewrite) new standard operating procedures ("SOP"), as well as provide training for a vast number of routine activities. Every company will need a gated rollout plan.

Teams of experts dedicated to the implementation should keep on top of fast-breaking DSCSA developments. For example, the FDA is still accepting public docket comments on key guidelines and is revising the requirements and procedures (the agency originally was supposed to produce draft standards for all DSCSA provisions by November 2014, but some regulatory standards won’t be available until late November 2015). Consequently, the implementation schedule is a moving target, further complicating planning.

The 2017 requirements for serialization with end-to-end tracing mean that manufacturers (to be followed in subsequent years by the rest of the supply chain) must track the movement of billions of items with tens to hundreds of partners, including outsourcing vendors.

Communicating efficiently and effectively will be a challenge, not to mention handling the sheer volume of data generated as businesses process and store information (for at least six years) pertaining to an immense number of transactions.

The DSCSA’s 10-year calendar may appear to be a leisurely time frame, but the pace of compliance preparations should be furious. The timetable demands that short-, mid- and long- term goals be defined for government relations, IT, logistics, and track and trace/enterprise resource planning vendors, to name just a few of the affected business units.

The 3Ts of DSCA Product Tracing Information

Transaction information
Paper or electronic document that includes the name of the product, strength and dosage form; National Drug Code; container size; name and address of seller and purchaser; and other DSCSA-specified information.

Transaction history
Paper or electronic statement that includes the transaction information for each prior transaction back to the manufacturer.

Transaction statement
Paper or electronic attestation by the entity transferring ownership of the product that it is authorized under the DSCSA; the product was received from an authorized party; and other specified information

NOTE: All tracing information must be kept for six years. The DSCSA pre-empts state tracing laws and regulations, including any record keeping and pedigree requirements. The 2015 regulations allow paper document submission, but by November 2017, all tracing information must be created, received, stored and retrieved (within pre-specified time periods such as 48 hours for a suspect product) electronically, and all products must be marked with a two-dimensional matrix barcode.

Pressure Test Your Systems

Once your interim goals have been achieved and your systems are operational, it will be time to conduct a stress test to expose weak links in your chain. Don’t wait for regulators to find them for you.

For example, the two-dimensional matrix barcode that manufacturers must place on all packages by 2017 will require new processes and equipment. The goal is to produce clear barcodes that are readable by handheld scanners such as those that likely will be used in retail and hospital pharmacies. Random spot testing of barcode quality (employing the same quality scanners that the average pharmacy uses) is just one example of how firms can monitor the quality of their efforts

Additionally, manufacturers should ensure that their vendors are complying with these mandates. This could involve agreed-upon contractual obligations, as well as the ability to audit vendors to verify that they are in compliance.

The DSCSA requires the FDA to conduct pilot programs and hold public meetings in addition to other efforts necessary to support efficient and effective implementation. Companies should jump on news about pilots (on July 31, for instance, the FDA inconspicuously posted a Request for Proposal, seeking bids from consulting organizations to run the program, which likely will launch in 2016) or other meaningful forms of engagement with regulators. Such programs may offer companies an opportunity to get a reality check on their own compliance implementations.

A comprehensive readiness checklist, updated at regular intervals, can help assess risks. But the job is not finished once a box is marked off or a milestone recedes. A firm that sailed past the deadline for trading exclusively with authorized partners (i.e., firms registered in the FDA’s online database) should double back periodically to scrutinize recent transactions and note the status of each entity. If an unauthorized trading partner pops up, corrective action should be swift (based on well-developed SOPs). The occurrence of repeat offenses should be preventable through systemic controls.

Importantly, if and when a system fails a key compliance test, companies must identify the root cause of the failure, not just fix the immediate problem at hand.

Seize Opportunities Where Others See Burdens

Compliance is not just about avoiding costly penalties and public relations disasters — it’s about building a culture of quality that is at the core of any successful business. Ultimately, a world with a verifiably secure drug supply chain not only offers safety for patients, it also allows protection for businesses that create valuable, innovative intellectual property in the form of new drugs.

As a former Johnson & Johnson supply chain security executive, Ron Guido has persuasively argued that compliance spending can be recast from a budget line item with zero complementary business value to compliance with a return on investment ("C-ROI").

How can companies realize C-ROI? This can be accomplished by aggressively leveraging the process improvements that innovative technologies, refined SOPs and expanded data capture inevitably will introduce.

For example, a fully electronic traceability system has the potential to promote best practices in inventory accuracy and velocity, the tracking of new sales orders and the processing of product returns, as well as the mitigation of financial liability for expired and damaged goods. The type of detailed, real-time inventory management necessary to effect end-to-end traceability augments IMS Health prescription data and enables more agile sales and marketing strategies. Market planning, targeting, segmentation, sizing and compensation clearly are enhanced when prescriber- and plan-level prescription data are combined with comprehensive inventory tracking and intelligence.

The Early Bird Gets the C-ROI

Companies that can achieve compliance to the 2023 DSCSA standards in advance of the deadline will be able to pressure test their own systems, identify gaps and weaknesses, and adjust accordingly. Thus, early adopters will realize the biggest returns on this significant compliance investment. Complacency and/or a slow-moving DSCSA implementation schedule are high-risk practices in the current environment.